New EU data protection rules – early preparation is key

May 25, 2016

With only two years to go before the EU’s new data protection rules apply, Stephen Ridley, acting Head of Technology, Cyber and Data at Hiscox, urges small businesses not to delay their preparations to comply.…

On the 4 May, the European Union’s long debated General Data Protection Regulation (GDPR) was finally signed off by the European Parliament and will apply for all member states from the 25 May 2018.

Intended to help safeguard data protection rights for individuals, the GDPR introduces a single set of rules across the EU when it comes to how companies handle data relating to individuals. And because it’s a regulation rather than a directive, it has direct effect, which means that companies will have to be completely compliant by the application date.

It’s regulation with real teeth too. Fines for companies that fail to comply, come in two tiers. At the lower end there are fines of up to 2% of turnover or €10 million (whichever is the higher) relating to more administrative issues such as the failure to:

The fines step up again for actual data breaches and represent 4% of global turnover or €20 million – again, whichever is the higher.

Get on the front foot

It is very important that businesses of all sizes get on the front foot in terms of compliance with the GDPR. The longer you leave it then the harder and the more expensive it will be to get the expertise needed to comply. A whole new industry will soon sprout up of consultants looking to assist companies with the GDPR and as they become more in demand, prices will go up.

Ignorance of the regulation will not be a defence either warns Kathryn Wynn, a Senior Associate for law firm Pinsent Masons, “At the moment, small businesses with limited resources need to prioritise and so may focus on the high risk issues only. Under the current regime, data protection will not necessarily be a high risk priority. However, the tougher sanctions regime under the GDPR could lead to a change in the risk rating given to data protection,” she says.

“Under the GDPR a business must not only have an effective data protection policy in place but it must also be a living, breathing policy that is properly implemented and well communicated to all employees.”

What if there’s a Brexit?

Of course, the UK leaving the EU might change things but there will undoubtedly be an update to the UK’s data protection legislation and the powers that the regulator – the Information Commissioner’s Office – has, regardless of what happens with the EU referendum. And even if the UK does come out of the EU, any businesses that want to deal with companies in the EU will still be bound by the GDPR. It will have a seismic impact on UK businesses whether we vote leave or vote remain.

Consistency to data protection

While it will raise the regulatory burden, many think the GDPR brings much needed consistency to data protection rules. Right now we’re working within a framework for data protection that is 20 years’ old – a time when people weren’t readily giving away their data. We’ve seen many cases where companies have embarked on new projects but haven’t paid as much attention to the security of their data as they should and it’s clear that many businesses do need to take more responsibility for data protection. Whatever the case, the earlier that businesses – from the smallest one person operations upwards – plan for GDPR, the better their position come 25 May 2018.